Open truegoodwill opened 2 years ago
I'm not sure if I've just got it configured wrongly. Maybe there's something I don't understand yet. Thank you in advance <3
@truegoodwill, when using the http01 challenge type it's necessary to expose your app to the internet in order for Let's Encrypt to finish the handshake.
You can try to change your ingress annotations to:
annotations:
  alb.ingress.kubernetes.io/scheme: internet-facing
With this configuration AWS will create an external LB.
If you want to keep only internal LB traffic, try changing http01 to the dns challenge:
dns01 = [
  {
    name           = "letsencrypt-staging"
    namespace      = "default"
    kind           = "ClusterIssuer"
    dns_zone       = "example.com"
    region         = "us-east-1" # data.aws_region.current.name
    secret_key_ref = "letsencrypt-staging"
    acme_server    = "https://acme-staging-v02.api.letsencrypt.org/directory"
    acme_email     = "your@email.com"
  }
]
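The failure mode in this thread (an HTTP-01 solver Ingress that ends up behind an internal ALB) can be caught before waiting for Let's Encrypt to time out. The script below is an added example, not code from this issue or from the aws-eks-cert-manager module: it walks ClusterIssuer and Ingress objects shaped like `kubectl get clusterissuer,ingress -o json` output and reports any Ingress whose issuer can only solve over an ALB that is not `internet-facing`. It relies on three documented behaviours: the AWS Load Balancer Controller defaults `alb.ingress.kubernetes.io/scheme` to `internal`; a cert-manager `http01.ingress.name` solver inserts routes into that existing Ingress; otherwise cert-manager creates its own solver Ingress, which only receives annotations given under `http01.ingress.ingressTemplate`. The sample objects (`letsencrypt-staging`, `letsencrypt-dns`, `app-internal`, `app-dns`, `app-public`) are constructed for the example.

```python
"""Offline check: can Let's Encrypt reach a cert-manager HTTP-01 solver Ingress
when the AWS Load Balancer Controller provisions the ALB?

Added example; object shapes follow `kubectl get ... -o json`, and the sample
issuers/ingresses at the bottom are constructed, not taken from the issue.
"""
from typing import Dict, List, Optional

SCHEME_ANN = "alb.ingress.kubernetes.io/scheme"
ISSUER_ANNS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")
# The AWS Load Balancer Controller creates an internal ALB when the
# scheme annotation is absent.
DEFAULT_SCHEME = "internal"


def alb_scheme(annotations: Optional[Dict[str, str]]) -> str:
    """Scheme the ALB controller will use for an Ingress with these annotations."""
    return (annotations or {}).get(SCHEME_ANN, DEFAULT_SCHEME)


def solver_ingress_scheme(solver: dict, ingresses: Dict[str, dict]) -> Optional[str]:
    """Scheme of the Ingress cert-manager will use for one ACME solver.

    - http01.ingress.name: challenge routes are inserted into an existing
      Ingress, so that Ingress's own scheme annotation applies.
    - any other http01 solver: cert-manager creates a throwaway Ingress that
      only carries annotations from ingressTemplate.metadata.annotations,
      so it gets the controller default (internal) unless the template sets it.
    - returns None for non-HTTP-01 solvers (e.g. dns01), which need no
      inbound reachability at all.
    """
    http01 = solver.get("http01")
    if not http01:
        return None
    ing = http01.get("ingress", {})
    if "name" in ing:
        existing = ingresses.get(ing["name"])
        if existing is None:
            return "missing-ingress"
        return alb_scheme(existing["metadata"].get("annotations"))
    template = ing.get("ingressTemplate", {}).get("metadata", {})
    return alb_scheme(template.get("annotations"))


def check(issuers: List[dict], ingresses: List[dict]) -> List[str]:
    """One finding per Ingress whose issuer cannot complete an ACME challenge.

    Simplification: solver selectors are ignored; the issuer is considered
    fine if any solver is dns01 or any http01 solver ends up internet-facing.
    """
    ing_by_name = {i["metadata"]["name"]: i for i in ingresses}
    issuer_by_name = {i["metadata"]["name"]: i for i in issuers}
    findings: List[str] = []
    for ing in ingresses:
        name = ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations", {})
        issuer_name = next((ann[k] for k in ISSUER_ANNS if k in ann), None)
        if issuer_name is None:
            continue  # not managed by cert-manager
        issuer = issuer_by_name.get(issuer_name)
        if issuer is None:
            findings.append(f"{name}: issuer {issuer_name} not found")
            continue
        solvers = issuer["spec"]["acme"]["solvers"]
        if any("dns01" in s for s in solvers):
            continue
        schemes = [solver_ingress_scheme(s, ing_by_name) for s in solvers]
        if "internet-facing" not in schemes:
            findings.append(
                f"{name}: issuer {issuer_name} uses HTTP-01 but its solver Ingress "
                f"resolves to scheme {schemes}; Let's Encrypt cannot reach it"
            )
    return findings


# Constructed sample objects for this example.
ISSUERS = [
    # Creates its own solver Ingress with class alb and no scheme -> internal ALB.
    {"metadata": {"name": "letsencrypt-staging"},
     "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "alb"}}}]}}},
    # DNS-01 via Route53: no inbound traffic needed.
    {"metadata": {"name": "letsencrypt-dns"},
     "spec": {"acme": {"solvers": [{"dns01": {"route53": {"region": "us-east-1"}}}]}}},
    # Reuses the existing, internet-facing Ingress for challenge routes.
    {"metadata": {"name": "letsencrypt-public"},
     "spec": {"acme": {"solvers": [{"http01": {"ingress": {"name": "app-public"}}}]}}},
]
INGRESSES = [
    {"metadata": {"name": "app-internal", "annotations": {
        SCHEME_ANN: "internal", "cert-manager.io/cluster-issuer": "letsencrypt-staging"}}},
    {"metadata": {"name": "app-dns", "annotations": {
        SCHEME_ANN: "internal", "cert-manager.io/cluster-issuer": "letsencrypt-dns"}}},
    {"metadata": {"name": "app-public", "annotations": {
        SCHEME_ANN: "internet-facing", "cert-manager.io/cluster-issuer": "letsencrypt-public"}}},
]

if __name__ == "__main__":
    for line in check(ISSUERS, INGRESSES):
        print(line)
```

Only `app-internal` is reported: its issuer creates a fresh solver Ingress that inherits the controller's `internal` default, which is exactly the "certificates are created but don't pass the final step" symptom. Feeding real cluster objects in is a matter of loading the `items` array from `kubectl get clusterissuer,ingress -A -o json`.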
Contact Details (optional)
true@truegoodwill.com
Description. What happened?
Existing:
Expected: Adding the aws-eks-cert-manager module with settings as shown in the linked file above would use the existing ingress controller (perhaps by adding a new rule to it) and existing load balancer to solve the letsencrypt challenge.
Actual: A new ingress and new load balancer were created. The new load balancer was "internal", therefore not reachable for the letsencrypt challenge. Certificates are created but don't pass the final step.
Steps to reproduce
Apply the terraform code linked.
Expected behavior
As above
Actual behavior
As above
Occurrence
Frequently
Relevant log output
No response
Code of Conduct